Four npm packages under the @asyncapi namespace have been found distributing a sophisticated botnet loader, according to research from OX Security and others. These packages, which were compromised to deliver a multi-stage malware, pose a significant threat to software supply chains.
Identified Compromised Packages
The compromised packages include @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs versions 6.11.2 and 6.11.2-alpha.1. Each package contains a concealed JavaScript implant designed to activate malicious code upon module loading in Node.js.
Once executed, the implant downloads an obfuscated second-stage payload known as Miasma from IPFS. This payload is specifically designed to operate in the background, launching a detached node process to continue its execution.
Technical Details of the Payload
The second-stage payload involves an encrypted JavaScript loader, ‘sync.js,’ which is executed in system-specific paths. The loader is responsible for decrypting the final JavaScript payload and incorporates a large encrypted blob for its spawn-chain framework.
This framework includes 744 modules, facilitating multiple command-and-control communication channels such as HTTP, IPFS, and Ethereum smart contracts. The malware supports various malicious activities, including credential theft and propagation across npm, PyPI, and Cargo registries.
Investigation and Response
OX Security’s analysis revealed similarities with previous campaigns but confirmed that this malware is distinct from the known Miasma and Shai-Hulud threats. The malware includes mechanisms to evade detection in virtual environments and systems with specific security tools installed.
It’s noted that the attacker managed to gain push access to the repositories, leveraging GitHub Actions to release these packages with legitimate provenance attestations. This highlights a critical vulnerability in CI/CD workflows, where the attack did not require stealing npm tokens but exploited the release pipeline itself.
Following the discovery, all affected package versions have been removed from the npm registry. Developers are advised to consider endpoints that interacted with these packages as potentially compromised, especially if the modules were part of active build or developer workflows.
Security experts emphasize the importance of verifying CI/CD pipelines and maintaining vigilance against such sophisticated supply chain attacks, underscoring the ongoing need for robust security practices in software development.
